DEPLOYMENT GUIDE
MICROSOFT SKYPE FOR BUSINESS SERVER 2015 DEPLOYMENT WITH THUNDER ADC USING APPCENTRIC TEMPLATES (ACT)
A10 THUNDER ADC FOR INTELLIGENT LOAD BALANCING, SECURITY, ACCELERATION AND OPTIMIZATION FOR SKYPE FOR BUSINESS SERVER 2015 A10 Networks® Thunder® ADC line of Application OVERVIEW Delivery Controllers provides intelligent load balancing, security, acceleration and optimization for Microsoft Skype for Business Server 2015.
The purpose of this guide is to provide a step-by- step process for deploying A10 Thunder ADC as a load balancer in a Microsoft Skype for Business Server 2015 deployment using AppCentric Templates (ACT). Refer to Appendix A for the equivalent CLI-based configuration.
The following topology (Figure 1) is designed to support Skype for Business voice services, presence, instant messaging, desktop sharing, collaboration and Enterprise Voice Features for both internal and external users with a high availability (HA) system architecture. In this guide, one A10 Networks vThunder® ADC with four Application Delivery Partitions (ADPs) was used to deploy four (4) different zones/services: Front End, Internal Edge, External Edge and Reverse Proxy. The solution can be deployed with separate virtual or physical appliances for each service in the same way.
For additional Microsoft deployment guides such as Lync Server, Microsoft Exchange and/ TALK or SharePoint, please refer to https://www. a10networks.com/resources/deployment-guides. WITH A10
CONTACT US a10networks.com/contact TABLE OF CONTENTS
OVERVIEW ...... 2
DEPLOYMENT TOPOLOGY ...... 5
ACCESSING THUNDER ADC ...... 7
SERVICES REQUIRED FOR SKYPE FOR BUSINESS 2015 DEPLOYMENT ...... 8
THUNDER ADC CONFIGURATION USING APPCENTRIC TEMPLATES ...... 11
AppCentric Templates (ACT) Overview ...... 11
Configuration Using ACT ...... 11
Topology Builder ...... 12
Wizard ...... 18
CONFIGURATION ...... 30
DASHBOARD ...... 30
ADDITIONAL SECURITY FEATURE – DDOS MITIGATION (OPTIONAL) ...... 31
DDoS Mitigation ...... 31
SUMMARY ...... 32
APPENDIX A – THUNDER ADC TEST CONFIGURATION ...... 33
Front End ...... 33
Internal Edge ...... 41
External Edge ...... 43
Reverse Proxy ...... 46
Shared Partition ...... 48
APPENDIX B – APPCENTRIC TEMPLATES UPGRADE ...... 49
Upgrading ACT using Cloud-based Update ...... 49
Upgrading ACT using Manual Update ...... 50
ABOUT A10 NETWORKS ...... 51
DISCLAIMER This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions. SKYPE FOR BUSINESS SERVER 2015 ROLES Each server running Skype for Business Server runs one or more server roles. A server role is a defined set of Skype for Business Server functionalities provided by that server. The primary server roles are described below1.
FRONT END SERVERS In Skype for Business Server Enterprise Edition, the Front End Server is the core server role, and runs many basic Skype for Business Server functions.
The Front End Server includes the following:
• User authentication and registration • Presence information and contact card exchange • Address book services and distribution list expansion • IM functionality, including multiparty IM conferences • Web conferencing, PSTN Dial-in conferencing and A/V conferencing (if deployed) • Application hosting, for both applications included with Skype for Business Server (for example, Conferencing Attendant and Response Group application), and third-party applications • Web components to supported web-based tasks such as web scheduler and join launcher • (Optionally) Archiving, to archive IM communications and meeting content for compliance reasons • (Optionally if Persistent Chat is enabled) Persistent Chat Web Services for Chat Room Management and Persistent Chat Web Services for File Upload/Download • (Optionally) Monitoring, to collect usage information in the form of call detail records (CDRs) and call error records (CERs), which provide metrics about the quality of the media (audio and video) traversing your network for both Enterprise Voice calls and A/V conferences
A Front End pool is a set of Front End Servers, configured identically, that work together to provide services for a common group of users. Standard Edition servers cannot be pooled, whereas multiple Enterprise Edition Servers can exist in a pool to provide redundancy and scalability.
BACK END (BE) SERVER The Back End (BE) Servers run Microsoft SQL and provide database services for the front end pool. The information stored in the SQL servers includes user contact lists, presence information, conferencing details and conferencing schedule information. The SQL server can be configured as a single back end server; however, a cluster of two or more servers is recommended for failover. The BE Servers do not run any Skype for Business Server software. The BE server requirement can be implemented with Microsoft SQL Server 2012 or Microsoft SQL Server 2014 – Standard and Enterprise (64-bit edition)2.
EDGE SERVER Edge Server enables your users to communicate and collaborate with users outside the organization’s firewalls. These external users can include: the organization’s own users who are currently working offsite; users from federated partner organizations; and outside users who have been invited to join conferences hosted on your Skype for Business Server deployment. Each Edge Server has two network interfaces, external and internal. The external interface accepts connections initiated from the Internet, and the internal interface accepts connections initiated from the internal network.
1 https://technet.microsoft.com/en-us/library/dn933894.aspx
2 https://technet.microsoft.com/en-us/library/dn951388.aspx#DBs
4 OFFICE ONLINE SERVER Office Online Server is the next version of Office Web Apps Server and is used in Skype for Business Server 2015 for sharing and rendering of PowerPoint presentations.
REVERSE PROXY Reverse Proxy publishes to the Internet the web components of Front End Servers and Office Online Server (OOS) services.
DEPLOYMENT TOPOLOGY Figure 1 shows a Skype for Business Server 2015 deployment using Thunder ADCs. It provides the following services:
• Login and Presence functionality • Instant Messaging, including multiparty IM conferences • Audio/video calls • Desktop sharing • PowerPoint sharing
In this setup, one single vThunder ADC with four ADPs was used to deploy four (4) different zones/services: Internal/Front End, Internal Edge, External Edge and Reverse Proxy thereby enabling consolidation of resources.
Reverse Proxy
Skype for Business Web Skype for Skype for Client Business Clients Business Web Client Internal Clients
Edge01 AD/DNS/CA Back-End SQL Server Public IP Edge01
Edge Server Pool
FE01 OOS1 Skype for Business Clients FE02 OOS2
Front-End Office Online Internal Edge ADC Edge Internal External DNS ADC External Edge Server Pool Server Pool Internal Front-End ADC Front-End Internal
External Network Perimeter Network Internal Network
External Reverse Internal Internal Edge Proxy Edge Front-End
Figure 1: Lab topology
5 Table 1 shows Hostname and IP address on each element/device used in this guide (as shown in the above diagram).
ROLE LOAD BALANCING VIP DEVICE HOSTNAME IP ADDRESS
Active Directory (AD), Internal Certificate Authority (CA), Internal NA DC 10.0.3.10/24 DNS
FE01 10.0.3.12/24 Front End 10.0.3.123/24 FE02 10.0.3.13/24
Back End NA SQL 10.0.3.11/24
Edge01 192.0.2.21, 22, 23/24 External Edge 192.0.2.111, 112, 113/24 Edge02 192.0.2.31, 32, 33/24
Edge01 10.0.4.31/24 Internal Edge 10.0.4.30/24 Edge02 10.0.4.32/24
OOS1 10.0.3.15/24 Office Online Server (previously 10.0.3.125/24 Office Web Apps Server) OOS2 10.0.3.16/24
Front End VIP 10.0.3.123/24 Reverse Proxy 192.0.2.108 OOS VIP 10.0.3.125/25
External DNS NA ExternalDNS 198.51.100.10
External Clients NA ExternalClient
Internal Clients NA InternalClient
Notes specific to this guide:
1. This setup was tested with A10 Thunder ADC appliance running the A10 Networks Advanced Core Operating System (ACOS®) version 4.1.1-P1.
2. The A10 Networks AppCentric Templates (ACT) version was act-0911-17 (see Appendix B for details).
3. The solution was deployed with a single vThunder ADC device with four ADPs, one for each of the four (4) different zones/ services: Internal/Front End, Internal Edge, External Edge and Reverse Proxy. The solution can also be deployed in the same way using separate virtual or physical appliances for each service. Two devices are going to be required for high availability.
4. Microsoft Skype for Business Server 2015 was tested through communication with IM, Presence, Desktop Collaboration and Audio Video (AV) conferencing. Testing was performed for both internal and external users.
5. Testing was performed using Microsoft Skype for Business Server 2015 Enterprise Edition Server with 64-bit Microsoft SQL Server 2012 Enterprise Edition.
6. Skype for Business 2015 Server Front End and Edge Server components were running on Windows 2012 R2 (64-bit) Standard Edition Server. Office Online Server was running on Windows Server 2012 Datacenter Edition.
7. Skype for Business Basic Client 64-bit on Windows 10 was used for desktop client.
8. Office Online Server (OOS) was tested with PowerPoint presentation sharing.
6 ACCESSING THUNDER ADC This section describes how to access Thunder ADC from a Command Line Interface (CLI), Graphical User Interface (GUI) or AppCentric Templates (ACT):
• CLI – The CLI is a text-based interface in which you type commands on a command line. You can access the CLI directly through the serial console or over the network using either of the following protocols: - Secure protocol – Secure Shell (SSH) version 2 - Unsecure protocol – Telnet (if enabled) • GUI – This is a web-based interface in which you click buttons, menus and other graphical icons to access the configuration or management pages. From these pages, you can type or select values to configure or manage the device. You can access the GUI using the following protocol: - Secure protocol – Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) • AppCentric Templates (ACT) - A10 ACOS GUI plug-in module that enhances the user experience to deploy, monitor and troubleshoot applications in a frictionless manner. Obtain the latest ACT file and import it into ACOS. Refer to Appendix B for details on how to acquire and import the file. The AppCentric Templates can be accessed by opening the GUI by entering the Management IP in the browser’s address bar (e.g. https://172.31.31.31/) and navigating to System > App Template.
NOTE: HTTP requests are redirected to HTTPS by default on Thunder ADC.
Default Access Information:
• Default Username: “admin” • Default password: “a10” • Default IP address of the device: “172.31.31.31”
NOTE: For detailed information on how to access the Thunder ADC device, refer to the System Configuration and Administration Guide.
7 SERVICES REQUIRED FOR SKYPE FOR BUSINESS 2015 DEPLOYMENT The following tables list the load-balancing services required for a Skype for Business 2015 Enterprise Server deployment.
Table 2: Services on Front End Server
SERVICE PORT VPORT SOURCE FEATURE TEMPLATE USAGE NOTE NAME TYPE NAT
Persistence: Source-IP Used for Distributed Component Object Model (DCOM)- Front End 135 TCP Yes TCP: TCP idle-timeout based operations such as Moving Users, User Replicator Service Health Monitor: TCP port Synchronization and Address Book Synchronization.
Used for communication from Front End Servers to web Web Persistence: Source-IP farm fully qualified domain names (FQDNs) (the URLs Compatibility 443 TCP Yes TCP: TCP idle-timeout used by IIS web components). Service Health Monitor: TCP port Client SSL template is required if SSL offload is configured.
Persistence: Source-IP Used for web access from remote user. Web Server 4443 TCP Yes TCP: TCP idle-timeout Client SSL template is required if SSL offload is Component Health Monitor: TCP port configured.
Used for HTTPS communication between the Focus Persistence: Source-IP (Skype for Business Server component that manages Front End 444 TCP Yes TCP: TCP idle-timeout conference state) and the individual servers. Service Health Monitor: TCP port This port is also used for TCP communication between Survivable Branch Appliances and Front End Servers.
All internal SIP communications between servers (MTLS). Persistence: Source-IP Front End SIP communications between Server and Client (TLS). 5061 TCP Yes TCP: TCP idle-timeout Service SIP communications between Front End Servers and Health Monitor: TCP port Mediation Servers (MTLS). Also used for communications with Monitoring Server.
Table 3: Optional Services on Front End Server
SERVICE PORT VPORT SOURCE FEATURE TEMPLATE USAGE NOTE NAME TYPE NAT
Persistence: Source-IP Application Used for incoming SIP listening requests for application 5065 TCP Yes TCP: TCP idle-timeout Sharing Service sharing Health Monitor: TCP port
Persistence: Source-IP Response Used for incoming SIP requests for the Response Group 5071 TCP Yes TCP: TCP idle-timeout Group Service application Health Monitor: TCP port
Conferencing Persistence: Source-IP Attendant Used for incoming SIP requests for Attendant (dial-in 5072 TCP Yes TCP: TCP idle-timeout Service (Dial-in conferencing) Health Monitor: TCP port Conferencing)
Conferencing Persistence: Source-IP Used for incoming SIP requests for the Skype for Announcement 5073 TCP Yes TCP: TCP idle-timeout Business Server Conferencing Announcement service Service Health Monitor: TCP port (that is, for dial-in conferencing)
Persistence: Source-IP Call Park Used for incoming SIP requests for the Call Park 5075 TCP Yes TCP: TCP idle-timeout Service application Health Monitor: TCP port
Persistence: Source-IP Audio Test Used for incoming SIP requests for the Audio Test 5076 TCP Yes TCP: TCP Service service Health Monitor: TCP port
NOTE: Details of port and protocol Skype for Business 2015 Front End Server uses are described at the following URL: https://technet.microsoft.com/en-us/ library/gg398833.aspx
8 SERVICE PORT VPORT SOURCE FEATURE TEMPLATE USAGE NOTE NAME TYPE NAT
Fallback path for A/V media transfer between internal Persistence: Source-IP STUN/ and external users if UDP communication cannot be 443 TCP Yes TCP: TCP idle-timeout MSTURN established. TCP is used for file transfer and desktop Health Monitor: TCP port sharing.
STUN/ Persistence: Source-IP Preferred path for A/V media transfer between internal 3478 UDP Yes MSTURN Health Monitor: UDP port and external users.
Inbound/Outbound SIP traffic (to/from Director, Director Persistence: Source-IP pool virtual IP address, Front End Server or Front End Access/SIP 5061 TCP/MTLS Yes TCP: TCP idle-timeout pool virtual IP address) from/to Edge Server internal Health Monitor: TCP port interface.
Authentication of A/V users (A/V authentication service) Persistence: Source-IP from Front End Server or Front End pool IP address or SIP/MTLS 5062 TCP Yes TCP: TCP idle-timeout any Survivable Branch Appliance or Survivable Branch Health Monitor: TCP port Server using this Edge Server.
Table 4: Services on Internal Edge
NOTE: Details of port and protocol Skype for Business 2015 Edge Server uses are described at the following URL: https://technet.microsoft.com/en-us/library/ mt346416.aspx
SERVICE NAME PORT VPORT SOURCE NAT FEATURE TEMPLATE USAGE NOTE TYPE
Persistence: Source-IP No Client-to-server SIP traffic for external user Access/SIP(TLS) 443 TCP TCP: TCP idle-timeout (Optional: Yes) access Health Monitor: TCP port
Persistence: Source-IP No SIP signaling, federated and public IM Access/SIP(MTLS) 5061 TCP TCP: TCP idle-timeout (Optional: Yes) connectivity using SIP Health Monitor: TCP port
Persistence: Source-IP Web Conferencing/ No 443 TCP TCP: TCP idle-timeout Web Conferencing media PSOM(TLS) (Optional: Yes) Health Monitor: TCP port
Persistence: Source-IP A/V/ STUN/TURN negotiation of candidates over 443 TCP No TCP: TCP idle-timeout STUN, MSTURN TCP/443 Health Monitor: TCP port
A/V/ Persistence: Source-IP STUN/TURN negotiation of candidates over 3478 UDP No STUN, MSTURN Health Monitor: UDP port UDP/3478
Table 5: Services on External Edge
NOTE: During feature selection (Figure 2) of the external Edge pool installation, you will be asked to deploy the Skype Edge Server pool with either single or multiple FQDNs and IP addresses. Deselecting the use a single FQDN and IP address option will enable the external Edge pool to have multiple IP configurations. The Thunder ADC device can be deployed in either a single IP configuration or a multiple IP configuration. In a multiple IP configuration, three public virtual IP addresses (VIPs) will be required for Access, WebConf and AV. For a single FQDN and IP address configuration, one public VIP will be required.
9
Figure 2: External Edge pool server feature selection
SERVICE NAME PORT VPORT SOURCE NAT FEATURE TEMPLATE USAGE NOTE TYPE
Persistence: Cookie Used for PowerPoint content sharing to Office Online Server Health Monitor: HTTP 443 TCP Yes Skype for Business clients. SSL Offload is Service Client SSL template: recommended. Required
Table 6: Service on Office Online Server (Option)
SERVICE NAME PORT VPORT SOURCE NAT FEATURE TEMPLATE USAGE NOTE TYPE
Health Monitor: TCP port Client SSL template: Used for communication to Skype Front End Required Web service from remote user. 443 >> Server SSL Template: Traffic sent to port 443 on the Reverse Proxy Published Web 4443 HTTPS Auto Required external interface is redirected to a pool on Service (redirect) A10 Networks port 4443 from the Reverse Proxy internal aFleX® TCL Scripting interface so that the pool Web Services can Technology or HTTP distinguish it from internal web traffic. Template: Required
Health Monitor: TCP port Client SSL Template: Required Office Online Server Server SSL Template: Used for PowerPoint content sharing/shared 443 HTTPS Auto Service Required from remote users. aFleX TCL Scripting or HTTP Template: Required
Table 7: Services on Reverse Proxy (Option)
NOTE: Details of ports and protocol of Reverse Proxy is described at the following URL: https://technet.microsoft.com/en-us/library/gg615011.aspx
10 THUNDER ADC CONFIGURATION USING APPCENTRIC TEMPLATES
APPCENTRIC TEMPLATES (ACT) OVERVIEW ACT is an embedded wizard-based configuration tool that enables organizations to apply best practices to deploying and securing their Skype for Business 2015 solution with minimal effort. A10 highly recommends the use of this configuration tool for the deployment and management of Skype for Business 2015, since these templates were developed with a focus on best practices. For that reason, most of the subsequent points can be easily configured via AppCentric Templates.
Refer to Appendix B for details on how to acquire and import the ACT file.
CONFIGURATION USING ACT To access ACT, first log into Thunder ADC using the web GUI:
• IP address: Management IP address • Default username: “admin” • Default password: “a10”
Go to System > App Templates
If prompted to specify username and password, log into ACT using your regular admin credentials:
Figure 3: ACT login page
Once you’ve logged into ACT, select Skype for Business from the AppCentric Templates menu.
There are four main sections in the Skype AppCentric Template:
1. Dashboard: The dashboard gives users a view of different statistics related to the current state of the system, including traffic statistics.
2. Topology Builder: This section enables you to configure partitions and network settings.
3. Wizard: The wizard provides users with a guided flow for deployment of Skype with Thunder ADC.
4. Configuration: This section provides users with the current configuration of the device as well as access to some advanced options.
11 Deploying Skype using ACT consists of two main series of steps:
1. Building the topology using Topology Builder: Skype for Business requires four application delivery partitions on a single Thunder ADC or four individual A10 Thunder ADC devices corresponding to the four server roles. If you plan to deploy Thunder ADC using ADPs, you need to first configure the topology using this Topology Builder.
2. Configuration of Skype deployment parameters using the Wizard
TOPOLOGY BUILDER In the left-pane, go to Skype for Business > Topology Builder
Overview
This section gives an overview of the topology we will deploy. The topology includes three subnets:
• Internal network: 10.0.3.0/24 • Internal perimeter network: 10.0.4.0/24 • External perimeter network: 192.0.2.0/24
Topology Builder will guide you to divide the Thunder ADC into 4 ADPs for the following roles:
• Front End ADC • Internal Edge ADC • External Edge ADC • Reverse Proxy ADC
Figure 4: Topology Builder
12 FRONT END ADC The Front End ADC load-balances traffic to the Front End Servers and optionally to the Office Online Servers. It is connected to the internal network 10.0.3.0/24.
Figure 5: Network interface configuration on Front End ADC
VLAN: 103 with IP address 10.0.3.1 /24 The VLAN ID and corresponding virtual interface IP address.
Interface: The physical port that is connected to the network – Ethernet 3.
Static Routes: The routes to be configured on this ADC. Enable this option and define a default route (0.0.0.0 /0) with gateway address of 10.0.3.254:
Figure 6: Route configuration on Front End ADC
13 INTERNAL EDGE ADC The Internal Edge ADC load-balances traffic towards the internal edge interfaces of the Edge servers. It is connected to the internal perimeter network 10.0.4.0/24.
Figure 7: Network interface configuration on Internal Edge ADC
VLAN: 401 with IP address 10.0.4.241 /24 The VLAN ID and corresponding virtual interface IP address. Interface: The physical port that is connected to the network – Ethernet 2. Static Routes: The routes to be configured on this ADC. Enable this option and define a default route (0.0.0.0 /0) with gateway address of 10.0.4.254:
Figure 8: Route configuration on Internal Edge ADC
14 EXTERNAL EDGE ADC The External Edge ADC load-balances traffic from external clients to the external edge interfaces of the Edge servers. It is connected to the external perimeter network 192.0.2.0/24.
Figure 9: Network interface configuration on External Edge ADC
VLAN: 102 with IP address 192.0.2.1 /24 The VLAN ID and corresponding virtual interface IP address. Interface: The physical port that is connected to the network – Ethernet 4. Static Routes: The routes to be configured on this ADC. Enable this option and define a default route (0.0.0.0 /0) with gateway address of 192.0.2.254:
Figure 10: Route configuration on External Edge ADC
15 REVERSE PROXY ADC The Reverse Proxy ADC is connected to two networks, the external perimeter network 192.0.2.0 /24 and the internal perimeter network 10.0.4.0 /24.
Figure 11: Network interface configuration on Reverse Proxy ADC
External VLAN: 105 with IP address 192.0.2.201 /24 The VLAN ID and corresponding virtual interface IP address.
External Interface: The physical port that is connected to the external perimeter network – Ethernet 5.
Internal VLAN: 106 with IP address 10.0.4.201 /24
The VLAN ID and corresponding virtual interface IP address.
Internal Interface: The physical port that is connected to the internal perimeter network – Ethernet 6.
Static Routes: The routes to be configured on this ADC. Enable this option and define the following static routes:
• Default route (0.0.0.0 /0) with next hop IP address 192.0.2.254 • Destination network 10.0.3.0 /24 with next hop IP address 10.0.4.254
16 Figure 12: Route configuration on Reverse Proxy ADC
REVIEW This section gives you an overview of the network topology.
Figure 13: Configuration overview
17 If fine, click Finish and you will be able to see the equivalent CLI configuration that will be pushed to the Thunder ADC:
Figure 14: CLI configuration generated by ACT
You can either click APPLY to push and apply the configuration on the Thunder ADC device, or you can click “Copy” to copy the configuration and then manually apply through the CLI.
WIZARD Once you have finished defining the four ADPs on the Thunder ADC with the corresponding network configuration, launch the Skype Wizard to create load balancing virtual services and policies for Skype for Business.
To access Wizard, in the left-pane, go to Skype for Business > Wizard
You will see the two deployment options:
• Multiple ADPs on a single A10 ACOS device • Single A10 ACOS device per role
In this setup, we used the option of multiple ADPs on a single device, hence choose that option and click Next.
18 Figure 15: Skype for Business Wizard - Deployment options
WIZARD – FRONT END The Skype Front End Server pool is a core component and composed of one or more Skype Front End Servers. IM/Presence, every Conference service, collaboration and voice are some of the services provided by the Front End pool. If there are multiple Front End Servers in a pool and one of them is under service outage mode, the rest of the healthy Front End Servers continue to provide all services to the end user.
Thunder ADC
Office Online Servers
HTTPS/443
HTTP/80 Office Online Server
TCP/135 TCP/135, 443, 444, 4443, 5061 TCP/443 TCP/444 TCP/4443 TCP/5061 TCP/5065, 5071, 5072, 5073, TCP/5065, 5071, 5072, 5075, 5076 Skype Front End Skype Front Skype Front End Pool 5073, 5075, 5076
Figure 16: Load balancing diagram for Front End pool and Office Online Servers
19 In this section, we configure a redundant Skype Server Front End Enterprise pool (services) on the Thunder ADC. Wizard automatically configures all required virtual services to load balance the Front End Enterprise pool.
Figure 17: Front End ADP configuration for Skype Front End servers
• Front End Virtual IP: 10.0.3.123 • Front End Servers: - FE1: 10.0.3.12 - FE2: 10.0.3.13
WIZARD - OFFICE ONLINE SERVER FARM Office Online Server (OOS) is the successor to Office Web Apps Server 2013. With Skype for Business Server 2015, OOS enables high fidelity viewing of PowerPoint Online when sharing PowerPoint presentations during meetings.
This section is optional and describes how to configure load balancing for an OOS server farm on Thunder ADC along with SSL Offload. SSL offload configuration is recommended for Office Online Server according to the Microsoft Tech Net site3.
3 https://technet.microsoft.com/en-us/library/jj219435(v=office.16).aspx#loadbalancer
20 Figure 18: Front End ADP configuration for Skype Office Online Servers
• Office Online Virtual IP : 10.0.3.125 • Office Online Servers: - OOS1: 10.0.3.15 - OOS2: 10.0.3.16 CREATE OR IMPORT SSL CERTIFICATE Create or import SSL server certificate to perform SSL Offload on Thunder ADC. In this test environment, the following data is being used:
• Save As: OOSCert • Certificate Format: PFX (choose proper certificate file format) • Certificate File: OOSCert.pfx (located on local computer) • Password: Password used to protect the pfx file
21 Figure 19: Import SSL server certificate into Front End ADP
ACT will additionally configure the following for the front-end and office online services:
• Load-balancing using least-connection method • TCP template with idle-timeout of 1800 seconds • Source-IP and cookie persistence templates • Per-port health check monitors • Cipher template consisting of the following ciphers: - TLS1_RSA_AES_128_SHA - TLS1_RSA_AES_256_SHA - TLS1_RSA_AES_128_GCM_SHA256 - TLS1_RSA_AES_256_GCM_SHA384 - TLS1_ECDHE_RSA_AES_128_SHA - TLS1_ECDHE_RSA_AES_256_SHA - TLS1_ECDHE_RSA_AES_128_SHA256 - TLS1_ECDHE_RSA_AES_128_GCM_SHA256
WIZARD - INTERNAL EDGE The internal Edge pool handles traffic from internal Skype server components or from Skype clients to remote Skype clients. An internal Edge pool doesn’t have multiple roles, unlike an external Edge pool (Access, Web Conf, A/V).
Note that the internal Edge interface and external Edge interface must use the same type of load balancing. You cannot use DNS load balancing on one interface and hardware load balancing on the other.
Wizard automatically configures all required virtual services to load balance the internal edge pool.
22
Thunder ADC
TCP/443 TCP/443
UDP/3478 UDP/3478
TCP/5061 TCP/5061
TCP/5062 Internal Edge TCP/5062
TCP/8057 TCP/8057
Skype Internal Edge Pool
Figure 20: Load balancing diagram for internal Skype Edge pool
Figure 21: Internal Edge ADP configuration
• Internal Edge Virtual IP : 10.0.4.30 • Internal Edge Servers: - InternalEdge1: 10.0.4.31 - InternalEdge2: 10.0.4.32
23 ACT will additionally configure the following:
• Load-balancing using least-connection method • TCP template with idle-timeout of 1800 seconds • Source-IP persistence template • Per-port health check monitors
WIZARD - EXTERNAL EDGE Skype Edge Server allows remote users to access internal Front End Server resources through the enterprise firewall and the DMZ/perimeter network. Remote users can use full Skype functionalities, including IM/Presence, Conference, Collaboration and Enterprise Voice without a VPN connection if the Skype Edge pool is deployed.
The Skype Edge pool can be deployed with either a single Edge Server or multiple Edge Servers. For redundancy purposes, load balancing is required in order to deploy multiple Edge Servers.
Thunder ADC
TCP/443 TCP/443
UDP/5061 UDP/5061 Access Edge
TCP/443 TCP/443 Web Conf Edge Web
TCP/443 TCP/443
TCP/3478 TCP/3478 A/V Edge
Skype External Edge Pool
Figure 22: Load balancing diagram for external Edge pool
In figure 2, we had deselected the use a single FQDN and IP address option for the external Edge pool and hence over here we configure the External Edge ADC with three unique virtual IP addresses (VIPs) for Access, WebConf and A/V.
Wizard automatically configures all required virtual services to load balance the external edge pool.
24 Figure 23: External Edge ADP configuration
• External Edge Virtual IP : ACT will additionally configure the following: - Access: 192.0.2.111 • Load-balancing using least-connection method - Web Conference: 192.0.2.112 • TCP template with idle-timeout of 1800 seconds - A/V: 192.0.2.113 • Source-IP persistence template • External Edge Servers: • Per-port health check monitors - Access • ExternalEdge1-access: 192.0.2.21 • ExternalEdge2-access: 192.0.2.31 - Web Conference: • ExternalEdge1-web: 192.0.2.22 • ExternalEdge2-web: 192.0.2.32 - A/V • ExternalEdge1-av: 192.0.2.23 • ExternalEdge2-av: 192.0.2.33
25 WIZARD - REVERSE PROXY Reverse Proxy is used for publishing Web Services of Skype Front End Server and Office Online Servers to remote access users through the Internet.
Thunder ADC
Office Online Servers Thunder ADC
Server VIP HTTP/80
HTTPS/443 Office Online
HTTPS/443
TCP/4443 Reverse Proxy Reverse
TCP/4443 Server VIP
FQDN based selection of service group: End Skype Front Skype Front End Pool Port 443 HTTPS: • Skype Web Services URLs: TCP 4443 • Skype Office Online Server URL: HTTPS 443
Figure 24: Load-balancing diagram for Reverse Proxy
Figure 25: Reverse Proxy ADP configuration
26 • Reverse Proxy Virtual IP: 192.0.2.108 • Front End VIP: 10.0.3.123 • Office Online VIP: 10.0.3.125 • Office Online FQDN: oos.s4b.com
CREATE OR IMPORT CERTIFICATES Import the SSL server certificate used for access by remote users. Usually it is issued by a public CA. In this test environment, the following data is being used:
• Save As: SSL_Cert - Certificate Format: PEM - Server Certificate File: SSL_Cert.crt (on local computer) - Server Private Key File: SSL_Key (on local computer)
Figure 26: Import SSL server certificate on Reverse Proxy ADP
The Reverse Proxy uses TLS to communicate with the Front End ADC and thus you need to also import the root certificate of the CA, which issues the internal SSL server certificate for Skype Front End Pool and OOS. Usually, the internal enterprise CA is used for issuing internal SSL server certificates.
• Save As: InternalRootCA • Certificate Format: PEM • Certificate File: InternalRootCA.crt (on local computer)
27 Figure 27: Import CA certificate on Reverse Proxy ADP
ACT will additionally configure the following:
• Per-port health check monitors • Cipher template consisting of the following ciphers: - TLS1_RSA_AES_128_SHA - TLS1_RSA_AES_256_SHA - TLS1_RSA_AES_128_GCM_SHA256 - TLS1_RSA_AES_256_GCM_SHA384 - TLS1_ECDHE_RSA_AES_128_SHA - TLS1_ECDHE_RSA_AES_256_SHA - TLS1_ECDHE_RSA_AES_128_SHA256 - TLS1_ECDHE_RSA_AES_128_GCM_SHA256 • URL/host switching to switch traffic to either the Office Online VIP or to Front End VIP on the Front End ADC based on the URL. Traffic with FQDN of oos.s4b.com will be directed towards Office Online VIP (port 443) while other traffic will be sent to the Front End VIP (port 4443).
28 WIZARD - REVIEW This section gives an overview of the configurations settings made using ACT:
Figure 28: Configuration overview
If fine, click Finish and you will be able to see the equivalent CLI configuration that will be pushed to the Thunder ADC:
Figure 29: CLI configuration generated by ACT
You can either click APPLY to push and apply the configuration on the Thunder ADC device, or you can click “Copy” to copy the configuration and then manually apply through the CLI.
29 CONFIGURATION The configuration section provides users with the current configuration of the device as well as access to some advanced options.
Figure 30: Advanced configuration options
DASHBOARD The dashboard provides real-time visibility into the Skype application by rendering pre-defined tiles and charts. These visuals provide an optimized view for real-time application monitoring.
Figure 31: Dashboard for real-time monitoring
30 ADDITIONAL SECURITY FEATURE – DDOS MITIGATION (OPTIONAL) The following section shows an additional security feature called DDoS Mitigation that can be implemented within the deployed solution.
DDOS MITIGATION This section describes an additional security feature to protect applications from Distributed Denial of Service (DDoS) attacks. To configure this feature within the ACOS solution, navigate to Security > > DDoS.
The DDoS protection feature is a global configuration. To enable this feature, select the necessary DDoS attacks you would like to drop. In the below figure, we have selected the DDoS attack mitigation required. Once completed, click Update and Save to save the configuration.
Figure 32: DDoS protection
The following IP anomaly filters are supported for system-wide Policy-Based Server Load Balancing (PBSLB), although you can also use them with¬out PBSLB:
• Invalid HTTP or SSL payload • Zero-length TCP window • Out-of-sequence packet
NOTE: These filters are supported only for HTTP and HTTPS traffic.
31 SUMMARY This document describes how to configure Thunder ADC as a load balancer and Reverse Proxy to support Microsoft Skype for Business Server 2015 and Office Online Server (OOS) using AppCentric Templates (ACT).
Deploying Thunder ADC as a load balancer and Reverse Proxy for Microsoft Skype for Business Server 2015 and OOS offers the following features and benefits:
• Transparent application load sharing • High availability for Skype servers, ensuring users can access Skype applications without disruption • Scalability, as the Thunder ADC device transparently load balances multiple Skype communication servers • Higher connection throughput to enhance end user experience • Improved server performance due to server offloading, including SSL Offload • Protection against DDoS attacks using integrated DDoS protection capabilities • Protection against web application attacks through Web Application Firewall (WAF) • Consolidated roles on a single platform through multiple partitions
Thunder ADC offers a cost-effective way for organizations to optimize their Skype for Business Server 2015 deployments, empowering employees to connect, communicate, and collaborate with Skype.
For more information about Thunder ADC products, please refer to: www.a10networks.com/adc www.a10networks.com/resources/solution-briefs www.a10networks.com/resources/case-studies
32 APPENDIX A – THUNDER ADC TEST CONFIGURATION Following is the Thunder ADC configuration used in an actual test environment.
FRONT END active-partition frontend tcp_vs_fe ! method tcp port 4443 ! ! vlan 103 health monitor Hm_vip_10_0_3_123_5061_tcp untagged ethernet 3 user-tag act_sfb_Hm_vip_10_0_3_123_5061_ tcp_vs_fe router-interface ve 103 method tcp port 5061 user-tag act_sfb_frontend_vlan_103 ! ! health monitor Hm_vip_10_0_3_123_5065_tcp interface ethernet 3 user-tag act_sfb_Hm_vip_10_0_3_123_5065_ enable tcp_vs_fe user-tag act_sfb_frontend_eth_3 method tcp port 5065 ! ! interface ve 103 health monitor Hm_vip_10_0_3_123_5070_tcp user-tag act_sfb_frontend_ve_103 user-tag act_sfb_Hm_vip_10_0_3_123_5070_ ip address 10.0.3.1 255.255.255.0 tcp_vs_fe ! method tcp port 5070 ! ! ip route 0.0.0.0 /0 10.0.3.254 health monitor Hm_vip_10_0_3_123_5071_tcp ! user-tag act_sfb_Hm_vip_10_0_3_123_5071_ tcp_vs_fe health monitor Hm_vip_10_0_3_123_135_tcp method tcp port 5071 user-tag act_sfb_Hm_vip_10_0_3_123_135_ tcp_vs_fe ! method tcp port 135 health monitor Hm_vip_10_0_3_123_5072_tcp ! user-tag act_sfb_Hm_vip_10_0_3_123_5072_ tcp_vs_fe health monitor Hm_vip_10_0_3_123_443_tcp method tcp port 5072 user-tag act_sfb_Hm_vip_10_0_3_123_443_ tcp_vs_fe ! method tcp port 443 health monitor Hm_vip_10_0_3_123_5073_tcp ! user-tag act_sfb_Hm_vip_10_0_3_123_5073_ tcp_vs_fe health monitor Hm_vip_10_0_3_123_444_tcp method tcp port 5073 user-tag act_sfb_Hm_vip_10_0_3_123_444_ tcp_vs_fe ! method tcp port 444 health monitor Hm_vip_10_0_3_123_5075_tcp ! user-tag act_sfb_Hm_vip_10_0_3_123_5075_ tcp_vs_fe health monitor Hm_vip_10_0_3_123_4443_tcp method tcp port 5075 user-tag act_sfb_Hm_vip_10_0_3_123_4443_ !
33 health monitor Hm_vip_10_0_3_123_5076_tcp template_vip_10_0_3_123_4443 user-tag act_sfb_Hm_vip_10_0_3_123_5076_ user-tag act_sfb_persist_template_ tcp_vs_fe vip_10_0_3_123_4443_vs_fe method tcp port 5076 ! ! slb template persist source-ip persist_ template_vip_10_0_3_123_5061 health monitor Hm_vip_10_0_3_125_80_http user-tag act_sfb_persist_template_ user-tag act_sfb_Hm_vip_10_0_3_125_80_ vip_10_0_3_123_5061_vs_fe http_vs_oo ! method http port 80 expect wopi-discovery url GET /hosting/discovery slb template persist source-ip persist_ template_vip_10_0_3_123_5065 ! user-tag act_sfb_persist_template_ slb template cipher Ccipher_ vip_10_0_3_123_5065_vs_fe vip_10_0_3_125_443 ! TLS1_RSA_AES_128_SHA slb template persist source-ip persist_ TLS1_RSA_AES_256_SHA template_vip_10_0_3_123_5070 TLS1_RSA_AES_128_GCM_SHA256 user-tag act_sfb_persist_template_ TLS1_RSA_AES_256_GCM_SHA384 vip_10_0_3_123_5070_vs_fe TLS1_ECDHE_RSA_AES_128_SHA ! TLS1_ECDHE_RSA_AES_256_SHA slb template persist source-ip persist_ template_vip_10_0_3_123_5071 TLS1_ECDHE_RSA_AES_128_SHA256 user-tag act_sfb_persist_template_ TLS1_ECDHE_RSA_AES_128_GCM_SHA256 vip_10_0_3_123_5071_vs_fe user-tag act_sfb_Ccipher_ ! vip_10_0_3_125_443_vs_oo slb template persist source-ip persist_ ! template_vip_10_0_3_123_5072 slb template persist cookie persist_ user-tag act_sfb_persist_template_ template_vip_10_0_3_125_443 vip_10_0_3_123_5072_vs_fe user-tag act_sfb_persist_template_ ! vip_10_0_3_125_443_vs_oo slb template persist source-ip persist_ ! template_vip_10_0_3_123_5073 slb template persist source-ip persist_ user-tag act_sfb_persist_template_ template_vip_10_0_3_123_135 vip_10_0_3_123_5073_vs_fe user-tag act_sfb_persist_template_ ! vip_10_0_3_123_135_vs_fe slb template persist source-ip persist_ ! template_vip_10_0_3_123_5075 slb template persist source-ip persist_ user-tag act_sfb_persist_template_ template_vip_10_0_3_123_443 vip_10_0_3_123_5075_vs_fe user-tag act_sfb_persist_template_ ! vip_10_0_3_123_443_vs_fe slb template persist source-ip persist_ ! template_vip_10_0_3_123_5076 slb template persist source-ip persist_ user-tag act_sfb_persist_template_ template_vip_10_0_3_123_444 vip_10_0_3_123_5076_vs_fe user-tag act_sfb_persist_template_ ! vip_10_0_3_123_444_vs_fe slb template tcp vip_10_0_3_123_135_tcp ! idle-timeout 1800 slb template persist source-ip persist_ user-tag act_sfb_vip_10_0_3_123_135_tcp_
34 vs_fe idle-timeout 1800 ! user-tag act_sfb_vip_10_0_3_123_5073_ tcp_vs_fe slb template tcp vip_10_0_3_123_443_tcp ! idle-timeout 1800 slb template tcp vip_10_0_3_123_5075_tcp user-tag act_sfb_vip_10_0_3_123_443_tcp_ vs_fe idle-timeout 1800 ! user-tag act_sfb_vip_10_0_3_123_5075_ tcp_vs_fe slb template tcp vip_10_0_3_123_444_tcp ! idle-timeout 1800 slb template tcp vip_10_0_3_123_5076_tcp user-tag act_sfb_vip_10_0_3_123_444_tcp_ vs_fe idle-timeout 1800 ! user-tag act_sfb_vip_10_0_3_123_5076_ tcp_vs_fe slb template tcp vip_10_0_3_123_4443_tcp ! idle-timeout 1800 slb server FE1 10.0.3.12 user-tag act_sfb_vip_10_0_3_123_4443_ tcp_vs_fe user-tag act_sfb_FE1 ! port 135 tcp slb template tcp vip_10_0_3_123_5061_tcp user-tag act_sfb_FE1_port_135_tcp idle-timeout 1800 sampling-enable total_conn user-tag act_sfb_vip_10_0_3_123_5061_ sampling-enable total_fwd_bytes tcp_vs_fe sampling-enable total_rev_bytes ! sampling-enable total_req slb template tcp vip_10_0_3_123_5065_tcp port 443 tcp idle-timeout 1800 user-tag act_sfb_FE1_port_443_tcp user-tag act_sfb_vip_10_0_3_123_5065_ tcp_vs_fe sampling-enable total_conn ! sampling-enable total_fwd_bytes slb template tcp vip_10_0_3_123_5070_tcp sampling-enable total_rev_bytes idle-timeout 1800 sampling-enable total_req user-tag act_sfb_vip_10_0_3_123_5070_ port 444 tcp tcp_vs_fe user-tag act_sfb_FE1_port_444_tcp ! sampling-enable total_conn slb template tcp vip_10_0_3_123_5071_tcp sampling-enable total_fwd_bytes idle-timeout 1800 sampling-enable total_rev_bytes user-tag act_sfb_vip_10_0_3_123_5071_ sampling-enable total_req tcp_vs_fe port 4443 tcp ! user-tag act_sfb_FE1_port_4443_tcp slb template tcp vip_10_0_3_123_5072_tcp sampling-enable total_conn idle-timeout 1800 sampling-enable total_fwd_bytes user-tag act_sfb_vip_10_0_3_123_5072_ tcp_vs_fe sampling-enable total_rev_bytes ! sampling-enable total_req slb template tcp vip_10_0_3_123_5073_tcp port 5061 tcp
35 user-tag act_sfb_FE1_port_5061_tcp sampling-enable total_req sampling-enable total_conn port 5076 tcp sampling-enable total_fwd_bytes user-tag act_sfb_FE1_port_5076_tcp sampling-enable total_rev_bytes sampling-enable total_conn sampling-enable total_req sampling-enable total_fwd_bytes port 5065 tcp sampling-enable total_rev_bytes user-tag act_sfb_FE1_port_5065_tcp sampling-enable total_req sampling-enable total_conn ! sampling-enable total_fwd_bytes slb server FE2 10.0.3.13 sampling-enable total_rev_bytes user-tag act_sfb_FE2 sampling-enable total_req port 135 tcp port 5070 tcp user-tag act_sfb_FE2_port_135_tcp user-tag act_sfb_FE1_port_5070_tcp sampling-enable total_conn sampling-enable total_conn sampling-enable total_fwd_bytes sampling-enable total_fwd_bytes sampling-enable total_rev_bytes sampling-enable total_rev_bytes sampling-enable total_req sampling-enable total_req port 443 tcp port 5071 tcp user-tag act_sfb_FE2_port_443_tcp user-tag act_sfb_FE1_port_5071_tcp sampling-enable total_conn sampling-enable total_conn sampling-enable total_fwd_bytes sampling-enable total_fwd_bytes sampling-enable total_rev_bytes sampling-enable total_rev_bytes sampling-enable total_req sampling-enable total_req port 444 tcp port 5072 tcp user-tag act_sfb_FE2_port_444_tcp user-tag act_sfb_FE1_port_5072_tcp sampling-enable total_conn sampling-enable total_conn sampling-enable total_fwd_bytes sampling-enable total_fwd_bytes sampling-enable total_rev_bytes sampling-enable total_rev_bytes sampling-enable total_req sampling-enable total_req port 4443 tcp port 5073 tcp user-tag act_sfb_FE2_port_4443_tcp user-tag act_sfb_FE1_port_5073_tcp sampling-enable total_conn sampling-enable total_conn sampling-enable total_fwd_bytes sampling-enable total_fwd_bytes sampling-enable total_rev_bytes sampling-enable total_rev_bytes sampling-enable total_req sampling-enable total_req port 5061 tcp port 5075 tcp user-tag act_sfb_FE2_port_5061_tcp user-tag act_sfb_FE1_port_5075_tcp sampling-enable total_conn sampling-enable total_conn sampling-enable total_fwd_bytes sampling-enable total_fwd_bytes sampling-enable total_rev_bytes sampling-enable total_rev_bytes sampling-enable total_req
36 port 5065 tcp sampling-enable total_rev_bytes user-tag act_sfb_FE2_port_5065_tcp sampling-enable total_req sampling-enable total_conn ! sampling-enable total_fwd_bytes slb server OOS1 10.0.3.15 sampling-enable total_rev_bytes user-tag act_sfb_OOS1 sampling-enable total_req port 80 tcp port 5070 tcp user-tag act_sfb_OOS1_port_80_tcp user-tag act_sfb_FE2_port_5070_tcp sampling-enable total_conn sampling-enable total_conn sampling-enable total_fwd_bytes sampling-enable total_fwd_bytes sampling-enable total_rev_bytes sampling-enable total_rev_bytes sampling-enable total_req sampling-enable total_req ! port 5071 tcp slb server OOS2 10.0.3.16 user-tag act_sfb_FE2_port_5071_tcp user-tag act_sfb_OOS2 sampling-enable total_conn port 80 tcp sampling-enable total_fwd_bytes user-tag act_sfb_OOS2_port_80_tcp sampling-enable total_rev_bytes sampling-enable total_conn sampling-enable total_req sampling-enable total_fwd_bytes port 5072 tcp sampling-enable total_rev_bytes user-tag act_sfb_FE2_port_5072_tcp sampling-enable total_req sampling-enable total_conn ! sampling-enable total_fwd_bytes slb service-group vip_10_0_3_123_135_tcp_ sg tcp sampling-enable total_rev_bytes method least-connection sampling-enable total_req health-check Hm_vip_10_0_3_123_135_tcp port 5073 tcp user-tag act_sfb_vip_10_0_3_123_135_tcp_ user-tag act_sfb_FE2_port_5073_tcp sg_vs_fe sampling-enable total_conn member FE1 135 sampling-enable total_fwd_bytes member FE2 135 sampling-enable total_rev_bytes ! sampling-enable total_req slb service-group vip_10_0_3_123_443_tcp_ port 5075 tcp sg tcp user-tag act_sfb_FE2_port_5075_tcp method least-connection sampling-enable total_conn health-check Hm_vip_10_0_3_123_443_tcp sampling-enable total_fwd_bytes user-tag act_sfb_vip_10_0_3_123_443_tcp_ sg_vs_fe sampling-enable total_rev_bytes member FE1 443 sampling-enable total_req member FE2 443 port 5076 tcp ! user-tag act_sfb_FE2_port_5076_tcp slb service-group vip_10_0_3_123_4443_tcp_ sampling-enable total_conn sg tcp sampling-enable total_fwd_bytes method least-connection
37 health-check Hm_vip_10_0_3_123_4443_tcp method least-connection user-tag act_sfb_vip_10_0_3_123_4443_tcp_ health-check Hm_vip_10_0_3_123_5071_tcp sg_vs_fe user-tag act_sfb_vip_10_0_3_123_5071_tcp_ member FE1 4443 sg_vs_fe member FE2 4443 member FE1 5071 ! member FE2 5071 slb service-group vip_10_0_3_123_444_tcp_sg ! tcp slb service-group vip_10_0_3_123_5072_tcp_ method least-connection sg tcp health-check Hm_vip_10_0_3_123_444_tcp method least-connection user-tag act_sfb_vip_10_0_3_123_444_tcp_ health-check Hm_vip_10_0_3_123_5072_tcp sg_vs_fe user-tag act_sfb_vip_10_0_3_123_5072_tcp_ member FE1 444 sg_vs_fe member FE2 444 member FE1 5072 ! member FE2 5072 slb service-group vip_10_0_3_123_5061_tcp_ ! sg tcp slb service-group vip_10_0_3_123_5073_tcp_ method least-connection sg tcp health-check Hm_vip_10_0_3_123_5061_tcp method least-connection user-tag act_sfb_vip_10_0_3_123_5061_tcp_ health-check Hm_vip_10_0_3_123_5073_tcp sg_vs_fe user-tag act_sfb_vip_10_0_3_123_5073_tcp_ member FE1 5061 sg_vs_fe member FE2 5061 member FE1 5073 ! member FE2 5073 slb service-group vip_10_0_3_123_5065_tcp_ ! sg tcp slb service-group vip_10_0_3_123_5075_tcp_ method least-connection sg tcp health-check Hm_vip_10_0_3_123_5065_tcp method least-connection user-tag act_sfb_vip_10_0_3_123_5065_tcp_ health-check Hm_vip_10_0_3_123_5075_tcp sg_vs_fe user-tag act_sfb_vip_10_0_3_123_5075_tcp_ member FE1 5065 sg_vs_fe member FE2 5065 member FE1 5075 ! member FE2 5075 slb service-group vip_10_0_3_123_5070_tcp_ ! sg tcp slb service-group vip_10_0_3_123_5076_tcp_ method least-connection sg tcp health-check Hm_vip_10_0_3_123_5070_tcp method least-connection user-tag act_sfb_vip_10_0_3_123_5070_tcp_ health-check Hm_vip_10_0_3_123_5076_tcp sg_vs_fe user-tag act_sfb_vip_10_0_3_123_5076_tcp_ member FE1 5070 sg_vs_fe member FE2 5070 member FE1 5076 ! member FE2 5076 slb service-group vip_10_0_3_123_5071_tcp_ ! sg tcp slb service-group vip_10_0_3_125_80_https_
38 sg tcp sampling-enable total_fwd_bytes method least-connection sampling-enable total_rev_bytes health-check Hm_vip_10_0_3_125_80_http sampling-enable total_conn user-tag act_sfb_vip_10_0_3_125_80_https_ port 444 tcp sg_vs_oo source-nat auto member OOS1 80 service-group vip_10_0_3_123_444_tcp_sg member OOS2 80 template persist source-ip persist_ ! template_vip_10_0_3_123_444 slb template client-ssl Cssl_ template tcp vip_10_0_3_123_444_tcp vip_10_0_3_125_443 user-tag act_sfb_frontend_vs_fe_ template cipher Ccipher_ vip_10_0_3_123_444_tcp vip_10_0_3_125_443 sampling-enable total_req chain-cert OOSCert sampling-enable total_fwd_bytes cert OOSCert sampling-enable total_rev_bytes enable-tls-alert-logging fatal sampling-enable total_conn key OOSCert port 4443 tcp user-tag act_sfb_Cssl_vip_10_0_3_125vs_ oo_443 source-nat auto ! service-group vip_10_0_3_123_4443_tcp_ sg slb virtual-server vip_10_0_3_123 10.0.3.123 template persist source-ip persist_ template_vip_10_0_3_123_4443 user-tag act_sfb_frontend_vs_fe_ vip_10_0_3_123 template tcp vip_10_0_3_123_4443_tcp port 135 tcp user-tag act_sfb_frontend_vs_fe_ vip_10_0_3_123_4443_tcp source-nat auto sampling-enable total_req service-group vip_10_0_3_123_135_tcp_sg sampling-enable total_fwd_bytes template persist source-ip persist_ template_vip_10_0_3_123_135 sampling-enable total_rev_bytes template tcp vip_10_0_3_123_135_tcp sampling-enable total_conn user-tag act_sfb_frontend_vs_fe_ port 5061 tcp vip_10_0_3_123_135_tcp source-nat auto sampling-enable total_req service-group vip_10_0_3_123_5061_tcp_ sampling-enable total_fwd_bytes sg sampling-enable total_rev_bytes template persist source-ip persist_ template_vip_10_0_3_123_5061 sampling-enable total_conn template tcp vip_10_0_3_123_5061_tcp port 443 tcp user-tag act_sfb_frontend_vs_fe_ source-nat auto vip_10_0_3_123_5061_tcp service-group vip_10_0_3_123_443_tcp_sg sampling-enable total_req template persist source-ip persist_ sampling-enable total_fwd_bytes template_vip_10_0_3_123_443 sampling-enable total_rev_bytes template tcp vip_10_0_3_123_443_tcp sampling-enable total_conn user-tag act_sfb_frontend_vs_fe_ vip_10_0_3_123_443_tcp port 5065 tcp sampling-enable total_req source-nat auto
39 service-group vip_10_0_3_123_5065_tcp_ user-tag act_sfb_frontend_vs_fe_ sg vip_10_0_3_123_5072_tcp template persist source-ip persist_ sampling-enable total_req template_vip_10_0_3_123_5065 sampling-enable total_fwd_bytes template tcp vip_10_0_3_123_5065_tcp sampling-enable total_rev_bytes user-tag act_sfb_frontend_vs_fe_ vip_10_0_3_123_5065_tcp sampling-enable total_conn sampling-enable total_req port 5073 tcp sampling-enable total_fwd_bytes source-nat auto sampling-enable total_rev_bytes service-group vip_10_0_3_123_5073_tcp_ sg sampling-enable total_conn template persist source-ip persist_ port 5070 tcp template_vip_10_0_3_123_5073 source-nat auto template tcp vip_10_0_3_123_5073_tcp service-group vip_10_0_3_123_5070_tcp_ user-tag act_sfb_frontend_vs_fe_ sg vip_10_0_3_123_5073_tcp template persist source-ip persist_ sampling-enable total_req template_vip_10_0_3_123_5070 sampling-enable total_fwd_bytes template tcp vip_10_0_3_123_5070_tcp sampling-enable total_rev_bytes user-tag act_sfb_frontend_vs_fe_ vip_10_0_3_123_5070_tcp sampling-enable total_conn sampling-enable total_req port 5075 tcp sampling-enable total_fwd_bytes source-nat auto sampling-enable total_rev_bytes service-group vip_10_0_3_123_5075_tcp_ sg sampling-enable total_conn template persist source-ip persist_ port 5071 tcp template_vip_10_0_3_123_5075 source-nat auto template tcp vip_10_0_3_123_5075_tcp service-group vip_10_0_3_123_5071_tcp_ user-tag act_sfb_frontend_vs_fe_ sg vip_10_0_3_123_5075_tcp template persist source-ip persist_ sampling-enable total_req template_vip_10_0_3_123_5071 sampling-enable total_fwd_bytes template tcp vip_10_0_3_123_5071_tcp sampling-enable total_rev_bytes user-tag act_sfb_frontend_vs_fe_ vip_10_0_3_123_5071_tcp sampling-enable total_conn sampling-enable total_req port 5076 tcp sampling-enable total_fwd_bytes source-nat auto sampling-enable total_rev_bytes service-group vip_10_0_3_123_5076_tcp_ sg sampling-enable total_conn template persist source-ip persist_ port 5072 tcp template_vip_10_0_3_123_5076 source-nat auto template tcp vip_10_0_3_123_5076_tcp service-group vip_10_0_3_123_5072_tcp_ user-tag act_sfb_frontend_vs_fe_ sg vip_10_0_3_123_5076_tcp template persist source-ip persist_ sampling-enable total_req template_vip_10_0_3_123_5072 sampling-enable total_fwd_bytes template tcp vip_10_0_3_123_5072_tcp sampling-enable total_rev_bytes
40 sampling-enable total_conn health monitor Hm_vip_10_0_4_30_443_tcp ! user-tag act_sfb_Hm_vip_10_0_4_30_443_ tcp_vs_ie slb virtual-server vip_10_0_3_125 10.0.3.125 method tcp port 443 user-tag act_sfb_frontend_vs_oo_ vip_10_0_3_125 ! port 443 https health monitor Hm_vip_10_0_4_30_3478_udp source-nat auto user-tag act_sfb_Hm_vip_10_0_4_30_3478_ udp_vs_ie service-group vip_10_0_3_125_80_https_ sg method udp port 3478 template persist cookie persist_ ! template_vip_10_0_3_125_443 health monitor Hm_vip_10_0_4_30_5061_tcp template client-ssl Cssl_ vip_10_0_3_125_443 user-tag act_sfb_Hm_vip_10_0_4_30_5061_ tcp_vs_ie user-tag act_sfb_frontend_vs_oo_ vip_10_0_3_125_443_https method tcp port 5061 sampling-enable total_req ! sampling-enable total_fwd_bytes health monitor Hm_vip_10_0_4_30_5062_tcp sampling-enable total_rev_bytes user-tag act_sfb_Hm_vip_10_0_4_30_5062_ tcp_vs_ie sampling-enable total_conn method tcp port 5062 ! ! end slb template persist source-ip persist_ template_vip_10_0_4_30_443 INTERNAL EDGE user-tag act_sfb_persist_template_ vip_10_0_4_30_443_vs_ie active-partition internal_edge ! ! slb template persist source-ip persist_ ! template_vip_10_0_4_30_3478 vlan 401 user-tag act_sfb_persist_template_ vip_10_0_4_30_3478_vs_ie untagged ethernet 2 ! router-interface ve 401 slb template persist source-ip persist_ user-tag act_sfb_internal_edge_vlan_401 template_vip_10_0_4_30_5061 ! user-tag act_sfb_persist_template_ vip_10_0_4_30_5061_vs_ie interface ethernet 2 ! enable slb template persist source-ip persist_ user-tag act_sfb_internal_edge_eth_2 template_vip_10_0_4_30_5062 ! user-tag act_sfb_persist_template_ interface ve 401 vip_10_0_4_30_5062_vs_ie user-tag act_sfb_internal_edge_ve_401 ! ip address 10.0.4.241 255.255.255.0 slb template tcp vip_10_0_4_30_443_tcp ! idle-timeout 1800 ! user-tag act_sfb_vip_10_0_4_30_443_tcp_ vs_ie ip route 0.0.0.0 /0 10.0.4.254 ! !
41 slb template tcp vip_10_0_4_30_5061_tcp user-tag act_sfb_InternalEdge2 idle-timeout 1800 port 443 tcp user-tag act_sfb_vip_10_0_4_30_5061_tcp_ user-tag act_sfb_InternalEdge2_port_443_ vs_ie tcp ! sampling-enable total_conn slb template tcp vip_10_0_4_30_5062_tcp sampling-enable total_fwd_bytes idle-timeout 1800 sampling-enable total_rev_bytes user-tag act_sfb_vip_10_0_4_30_5062_tcp_ sampling-enable total_req vs_ie port 3478 udp ! user-tag act_sfb_InternalEdge2_ slb server InternalEdge1 10.0.4.31 port_3478_udp user-tag act_sfb_InternalEdge1 sampling-enable total_conn port 443 tcp sampling-enable total_fwd_bytes user-tag act_sfb_InternalEdge1_ sampling-enable total_rev_bytes port_443_tcp sampling-enable total_req sampling-enable total_conn port 5061 tcp sampling-enable total_fwd_bytes user-tag act_sfb_InternalEdge2_ sampling-enable total_rev_bytes port_5061_tcp sampling-enable total_req sampling-enable total_conn port 3478 udp sampling-enable total_fwd_bytes user-tag act_sfb_InternalEdge1_ sampling-enable total_rev_bytes port_3478_udp sampling-enable total_req sampling-enable total_conn port 5062 tcp sampling-enable total_fwd_bytes user-tag act_sfb_InternalEdge2_ sampling-enable total_rev_bytes port_5062_tcp sampling-enable total_req sampling-enable total_conn port 5061 tcp sampling-enable total_fwd_bytes user-tag act_sfb_InternalEdge1_ sampling-enable total_rev_bytes port_5061_tcp sampling-enable total_req sampling-enable total_conn ! sampling-enable total_fwd_bytes slb service-group vip_10_0_4_30_3478_udp_sg sampling-enable total_rev_bytes udp sampling-enable total_req method least-connection port 5062 tcp health-check Hm_vip_10_0_4_30_3478_udp user-tag act_sfb_InternalEdge1_ user-tag act_sfb_vip_10_0_4_30_3478_udp_ port_5062_tcp sg_vs_ie sampling-enable total_conn member InternalEdge1 3478 sampling-enable total_fwd_bytes member InternalEdge2 3478 sampling-enable total_rev_bytes ! sampling-enable total_req slb service-group vip_10_0_4_30_443_tcp_sg tcp ! method least-connection slb server InternalEdge2 10.0.4.32 health-check Hm_vip_10_0_4_30_443_tcp
42 user-tag act_sfb_vip_10_0_4_30_443_tcp_ vip_10_0_4_30_3478_udp sg_vs_ie sampling-enable total_req member InternalEdge1 443 sampling-enable total_fwd_bytes member InternalEdge2 443 sampling-enable total_rev_bytes ! sampling-enable total_conn slb service-group vip_10_0_4_30_5061_tcp_sg tcp port 5061 tcp method least-connection source-nat auto health-check Hm_vip_10_0_4_30_5061_tcp service-group vip_10_0_4_30_5061_tcp_sg user-tag act_sfb_vip_10_0_4_30_5061_tcp_ template persist source-ip persist_ sg_vs_ie template_vip_10_0_4_30_5061 member InternalEdge1 5061 template tcp vip_10_0_4_30_5061_tcp member InternalEdge2 5061 user-tag act_sfb_internal_edge_vs_ie_ vip_10_0_4_30_5061_tcp ! sampling-enable total_req slb service-group vip_10_0_4_30_5062_tcp_sg tcp sampling-enable total_fwd_bytes method least-connection sampling-enable total_rev_bytes health-check Hm_vip_10_0_4_30_5062_tcp sampling-enable total_conn user-tag act_sfb_vip_10_0_4_30_5062_tcp_ port 5062 tcp sg_vs_ie source-nat auto member InternalEdge1 5062 service-group vip_10_0_4_30_5062_tcp_sg member InternalEdge2 5062 template persist source-ip persist_ ! template_vip_10_0_4_30_5062 slb virtual-server vip_10_0_4_30 10.0.4.30 template tcp vip_10_0_4_30_5062_tcp user-tag act_sfb_internal_edge_vs_ie_ user-tag act_sfb_internal_edge_vs_ie_ vip_10_0_4_30 vip_10_0_4_30_5062_tcp port 443 tcp sampling-enable total_req source-nat auto sampling-enable total_fwd_bytes service-group vip_10_0_4_30_443_tcp_sg sampling-enable total_rev_bytes template persist source-ip persist_ sampling-enable total_conn template_vip_10_0_4_30_443 ! template tcp vip_10_0_4_30_443_tcp end user-tag act_sfb_internal_edge_vs_ie_ vip_10_0_4_30_443_tcp sampling-enable total_req EXTERNAL EDGE sampling-enable total_fwd_bytes active-partition external_edge sampling-enable total_rev_bytes ! sampling-enable total_conn ! port 3478 udp vlan 102 source-nat auto untagged ethernet 4 service-group vip_10_0_4_30_3478_udp_sg router-interface ve 102 template persist source-ip persist_ user-tag act_sfb_external_edge_vlan_102 template_vip_10_0_4_30_3478 ! user-tag act_sfb_internal_edge_vs_ie_
43 interface ethernet 4 vip_192_0_2_113_443_vs_eeav enable ! user-tag act_sfb_external_edge_eth_4 slb template persist source-ip persist_ template_vip_192_0_2_113_3478 ! user-tag act_sfb_persist_template_ interface ve 102 vip_192_0_2_113_3478_vs_eeav user-tag act_sfb_external_edge_ve_102 ! ip address 192.0.2.1 255.255.255.0 slb template tcp vip_192_0_2_111_443_tcp ! idle-timeout 1800 ! user-tag act_sfb_vip_192_0_2_111_443_tcp_ ip route 0.0.0.0 /0 192.0.2.254 vs_eea ! ! health monitor Hm_vip_192_0_2_111_443_tcp slb template tcp vip_192_0_2_112_443_tcp user-tag act_sfb_Hm_vip_192_0_2_111_443_ idle-timeout 1800 tcp_vs_eea user-tag act_sfb_vip_192_0_2_112_443_tcp_ method tcp port 443 vs_eew ! ! health monitor Hm_vip_192_0_2_112_443_tcp slb template tcp vip_192_0_2_113_443_tcp user-tag act_sfb_Hm_vip_192_0_2_112_443_ idle-timeout 1800 tcp_vs_eew user-tag act_sfb_vip_192_0_2_113_443_tcp_ method tcp port 443 vs_eeav ! ! health monitor Hm_vip_192_0_2_113_443_tcp slb server ExternalEdge1-access 192.0.2.21 user-tag act_sfb_Hm_vip_192_0_2_113_443_ user-tag act_sfb_ExternalEdge1-access tcp_vs_eeav port 443 tcp method tcp port 443 user-tag act_sfb_ExternalEdge1-access_ ! port_443_tcp health monitor Hm_vip_192_0_2_113_3478_udp sampling-enable total_conn user-tag act_sfb_Hm_vip_192_0_2_113_3478_ sampling-enable total_fwd_bytes udp_vs_eeav sampling-enable total_rev_bytes method udp port 3478 sampling-enable total_req ! ! slb template persist source-ip persist_ slb server ExternalEdge1-av 192.0.2.23 template_vip_192_0_2_111_443 user-tag act_sfb_ExternalEdge1-av user-tag act_sfb_persist_template_ vip_192_0_2_111_443_vs_eea port 443 tcp ! user-tag act_sfb_ExternalEdge1-av_ port_443_tcp slb template persist source-ip persist_ template_vip_192_0_2_112_443 sampling-enable total_conn user-tag act_sfb_persist_template_ sampling-enable total_fwd_bytes vip_192_0_2_112_443_vs_eew sampling-enable total_rev_bytes ! sampling-enable total_req slb template persist source-ip persist_ template_vip_192_0_2_113_443 port 3478 udp user-tag act_sfb_persist_template_ user-tag act_sfb_ExternalEdge1-av_
44 port_3478_udp ! sampling-enable total_conn slb server ExternalEdge2-web 192.0.2.32 sampling-enable total_fwd_bytes user-tag act_sfb_ExternalEdge2-web sampling-enable total_rev_bytes port 443 tcp sampling-enable total_req user-tag act_sfb_ExternalEdge2-web_ port_443_tcp ! sampling-enable total_conn slb server ExternalEdge1-web 192.0.2.22 sampling-enable total_fwd_bytes user-tag act_sfb_ExternalEdge1-web sampling-enable total_rev_bytes port 443 tcp sampling-enable total_req user-tag act_sfb_ExternalEdge1-web_ port_443_tcp ! sampling-enable total_conn slb service-group vip_192_0_2_111_443_tcp_sg tcp sampling-enable total_fwd_bytes method least-connection sampling-enable total_rev_bytes health-check Hm_vip_192_0_2_111_443_tcp sampling-enable total_req user-tag act_sfb_vip_192_0_2_111_443_tcp_ ! sg_vs_eea slb server ExternalEdge2-access 192.0.2.31 member ExternalEdge1-access 443 user-tag act_sfb_ExternalEdge2-access member ExternalEdge2-access 443 port 443 tcp ! user-tag act_sfb_ExternalEdge2-access_ slb service-group vip_192_0_2_112_443_tcp_sg port_443_tcp tcp sampling-enable total_conn method least-connection sampling-enable total_fwd_bytes health-check Hm_vip_192_0_2_112_443_tcp sampling-enable total_rev_bytes user-tag act_sfb_vip_192_0_2_112_443_tcp_ sampling-enable total_req sg_vs_eew ! member ExternalEdge1-web 443 slb server ExternalEdge2-av 192.0.2.33 member ExternalEdge2-web 443 user-tag act_sfb_ExternalEdge2-av ! port 443 tcp slb service-group vip_192_0_2_113_3478_udp_ sg udp user-tag act_sfb_ExternalEdge2-av_ port_443_tcp method least-connection sampling-enable total_conn health-check Hm_vip_192_0_2_113_3478_udp sampling-enable total_fwd_bytes user-tag act_sfb_vip_192_0_2_113_3478_udp_ sg_vs_eeav sampling-enable total_rev_bytes member ExternalEdge1-av 3478 sampling-enable total_req member ExternalEdge2-av 3478 port 3478 udp ! user-tag act_sfb_ExternalEdge2-av_ port_3478_udp slb service-group vip_192_0_2_113_443_tcp_sg tcp sampling-enable total_conn method least-connection sampling-enable total_fwd_bytes health-check Hm_vip_192_0_2_113_443_tcp sampling-enable total_rev_bytes user-tag act_sfb_vip_192_0_2_113_443_tcp_ sampling-enable total_req
45 sg_vs_eeav template persist source-ip persist_ template_vip_192_0_2_113_443 member ExternalEdge1-av 443 template tcp vip_192_0_2_113_443_tcp member ExternalEdge2-av 443 user-tag act_sfb_external_edge_vs_eeav_ ! vip_192_0_2_113_443_tcp slb virtual-server vip_192_0_2_111 sampling-enable total_req 192.0.2.111 sampling-enable total_fwd_bytes user-tag act_sfb_external_edge_vs_eea_ vip_192_0_2_111 sampling-enable total_rev_bytes port 443 tcp sampling-enable total_conn service-group vip_192_0_2_111_443_tcp_ port 3478 udp sg service-group vip_192_0_2_113_3478_udp_ template persist source-ip persist_ sg template_vip_192_0_2_111_443 template persist source-ip persist_ template tcp vip_192_0_2_111_443_tcp template_vip_192_0_2_113_3478 user-tag act_sfb_external_edge_vs_eea_ user-tag act_sfb_external_edge_vs_eeav_ vip_192_0_2_111_443_tcp vip_192_0_2_113_3478_udp sampling-enable total_req sampling-enable total_req sampling-enable total_fwd_bytes sampling-enable total_fwd_bytes sampling-enable total_rev_bytes sampling-enable total_rev_bytes sampling-enable total_conn sampling-enable total_conn ! ! slb virtual-server vip_192_0_2_112 end 192.0.2.112 user-tag act_sfb_external_edge_vs_eew_ vip_192_0_2_112 REVERSE PROXY
port 443 tcp active-partition reverse_proxy service-group vip_192_0_2_112_443_tcp_ ! sg ! template persist source-ip persist_ template_vip_192_0_2_112_443 vlan 105 template tcp vip_192_0_2_112_443_tcp untagged ethernet 5 user-tag act_sfb_external_edge_vs_eew_ router-interface ve 105 vip_192_0_2_112_443_tcp user-tag act_sfb_reverse_proxy_vlan_105 sampling-enable total_req ! sampling-enable total_fwd_bytes vlan 106 sampling-enable total_rev_bytes untagged ethernet 6 sampling-enable total_conn router-interface ve 106 ! user-tag act_sfb_reverse_proxy_vlan_106 slb virtual-server vip_192_0_2_113 ! 192.0.2.113 interface ethernet 5 user-tag act_sfb_external_edge_vs_eeav_ vip_192_0_2_113 enable port 443 tcp user-tag act_sfb_reverse_proxy_eth_5 service-group vip_192_0_2_113_443_tcp_ ! sg interface ethernet 6
46 enable user-tag act_sfb_Sssl_vip_192_0_2_108_443_ vs_rp user-tag act_sfb_reverse_proxy_eth_6 ! ! slb server vip_10_0_3_123 10.0.3.123 interface ve 105 user-tag act_sfb_vip_10_0_3_123 user-tag act_sfb_reverse_proxy_ve_105 port 4443 tcp ip address 192.0.2.201 255.255.255.0 user-tag act_sfb_vip_10_0_3_123_ ! port_4443_tcp interface ve 106 sampling-enable total_conn user-tag act_sfb_reverse_proxy_ve_106 sampling-enable total_fwd_bytes ip address 10.0.4.201 255.255.255.0 sampling-enable total_rev_bytes ! sampling-enable total_req ! ! ip route 0.0.0.0 /0 192.0.2.254 slb server vip_10_0_3_125 10.0.3.125 ! user-tag act_sfb_vip_10_0_3_125 ip route 10.0.3.0 /24 10.0.4.254 port 443 tcp ! user-tag act_sfb_vip_10_0_3_125_ health monitor Hm_vip_192_0_2_108_4443_tcp port_443_tcp user-tag act_sfb_Hm_vip_192_0_2_108_4443_ sampling-enable total_conn tcp_vs_rp sampling-enable total_fwd_bytes method tcp port 4443 sampling-enable total_rev_bytes ! sampling-enable total_req health monitor Hm_vip_192_0_2_108_443_tcp ! user-tag act_sfb_Hm_vip_192_0_2_108_443_ slb service-group vip_192_0_2_108_443_tcp_ tcp_vs_rp sg tcp method tcp port 443 method least-connection ! health-check Hm_vip_192_0_2_108_443_tcp slb template cipher Ccipher_ user-tag act_sfb_vip_192_0_2_108_443_tcp_ vip_192_0_2_108_443 sg_vs_rp TLS1_RSA_AES_128_SHA member vip_10_0_3_125 443 TLS1_RSA_AES_256_SHA ! TLS1_RSA_AES_128_GCM_SHA256 slb service-group vip_192_0_2_108_4443_tcp_ TLS1_RSA_AES_256_GCM_SHA384 sg tcp TLS1_ECDHE_RSA_AES_128_SHA method least-connection TLS1_ECDHE_RSA_AES_256_SHA health-check Hm_vip_192_0_2_108_4443_tcp TLS1_ECDHE_RSA_AES_128_SHA256 user-tag act_sfb_vip_192_0_2_108_4443_ tcp_sg_vs_rp TLS1_ECDHE_RSA_AES_128_GCM_SHA256 member vip_10_0_3_123 4443 user-tag act_sfb_Ccipher_ vip_192_0_2_108_443_vs_rp ! ! slb template client-ssl Cssl_ vip_192_0_2_108_443 slb template server-ssl Sssl_ vip_192_0_2_108_443 template cipher Ccipher_ vip_192_0_2_108_443 ca-cert InternalRootCA chain-cert SSL_Cert
47 cert SSL_Cert ip anomaly-drop land-attack enable-tls-alert-logging fatal ip anomaly-drop out-of-sequence 10 key SSL_Cert ip anomaly-drop ping-of-death user-tag act_sfb_Cssl_vip_192_0_2_108vs_ ip anomaly-drop tcp-no-flag rp_443 ip anomaly-drop tcp-syn-fin ! ip anomaly-drop tcp-syn-frag slb template http templ_http_ vip_192_0_2_108_443_tcp ! host-switching equals oos.s4b.com partition frontend id 1 application-type adc service-group vip_192_0_2_108_443_tcp_sg user-tag act_sfb_frontend user-tag act_sfb_templ_http_ ! vip_192_0_2_108_443_tcp_vs_rp partition internal_edge id 2 application- ! type adc slb virtual-server vip_192_0_2_108 user-tag act_sfb_internal_edge 192.0.2.108 ! user-tag act_sfb_reverse_proxy_vs_rp_ vip_192_0_2_108 partition external_edge id 3 application- type adc port 443 https user-tag act_sfb_external_edge source-nat auto ! service-group vip_192_0_2_108_4443_tcp_ sg partition reverse_proxy id 4 application- type adc template http templ_http_ vip_192_0_2_108_443_tcp user-tag act_sfb_reverse_proxy template server-ssl Sssl_ ! vip_192_0_2_108_443 interface management template client-ssl Cssl_ vip_192_0_2_108_443 ip address 10.100.2.144 255.255.255.0 user-tag act_sfb_reverse_proxy_vs_rp_ ip default-gateway 10.100.2.1 vip_192_0_2_108_443_https ! sampling-enable total_req interface ethernet 1 sampling-enable total_fwd_bytes ! sampling-enable total_rev_bytes interface ethernet 2 sampling-enable total_conn ! ! interface ethernet 3 end ! interface ethernet 4 SHARED PARTITION ! ip anomaly-drop packet-deformity layer-3 interface ethernet 5 ip anomaly-drop packet-deformity layer-4 ! ip anomaly-drop security-attack layer-3 interface ethernet 6 ip anomaly-drop security-attack layer-4 ! ip anomaly-drop bad-content 10 ! ip anomaly-drop frag end ip anomaly-drop ip-option
48 APPENDIX B – APPCENTRIC TEMPLATES UPGRADE To upgrade ACT to the latest version, one of the following two methods can be used:
UPGRADING ACT USING CLOUD-BASED UPDATE ACT can be upgraded to the latest version directly from the cloud.
To do so, login to ACOS GUI and navigate to System > App Template. This will take you to the current version of ACT available on your device. If prompted, login to ACT using your ACOS credentials.
From the landing page, navigate to the Settings page.
Note: Depending on the ACT version you are currently using, you will either find the Settings link on the left pane or as a gear icon in the top right corner of the screen.
1. Under the Update tab on the Settings page, click on the refresh icon next to “ACT File Name” dropdown menu.
2. Select the desired ACT build from the dropdown menu and verify that your ACOS version is listed below for compatibility.
3. Also make sure that the Application for which you want to upgrade ACT is included in the build.
4. Click Update.
Note: You can find the current version of ACT running on your device by navigating to the About tab on the Settings page
49 UPGRADING ACT USING MANUAL UPDATE If your current ACT version does not support cloud-based updates, you can use the manual update option to upgrade to an intermediary version that does support cloud-based updates. You can then update to your desired ACT version using the steps mentioned above.
The intermediary ACT version can be downloaded as a tar.gz file to your computer from this link or by navigating to the More section of the A10 Networks Support Portal. Make sure that the package is not decompressed.
Note: This ACT version requires your device to be upgraded to ACOS version 4.1.1-P3 or later.
To start, login to ACOS GUI and navigate to System > App Template Import.
The following pop-up will appear:
• Click Select File and browse to the package downloaded earlier. • Click Upgrade.
Note: At this point, wait patiently and do not close the window or interrupt the upgrade process in any way.
50 Once successfully upgraded, either click on the Jump Now! link that appears in the popup, or navigate to System > App Template from the ACOS GUI.
Note: In rare cases, after updating the ACT, you might experience that the ACT isn’t loading. In such a scenario, logout from the ACOS GUI, and clear any cookies from the browser that are related to the A10 GUI or ACT. Alternatively, you can also clear the whole browser cache and then launch ACT.
ABOUT A10 NETWORKS A10 Networks (NYSE: ATEN) provides Reliable Security Always™ through a range of high-performance solutions that enable intelligent automation with deep machine learning to ensure business critical applications are protected, reliable and always available. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.
For more information, visit: a10networks.com or tweet @a10Networks.
©2018 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, A10 Thunder, A10 Lightning, LEARN MORE A10 Harmony and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility ABOUT A10 NETWORKS for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks. CONTACT US a10networks.com/contact Part Number: A10-DG-16165-EN-02 AUG 2018
51